ABSTRACT
The ever-increasing rate of sophisticated cyber-attacks, and their impact on networks, remains a menace to the security community. Existing network security solutions, including those applying machine learning algorithms, often centre their detection on identifying threats in individual network events, an approach that has proven inadequate for detecting sophisticated multi-stage attacks. Similarly, SOC analysts whose role is to detect advanced threats face a significant volume of false-positive alerts from the existing tools. The tools' ability to detect novel attacks, or variants of existing ones, is limited by two factors: the lack of expert input from SOC analysts in the creation of the tools, and the use of features that are closely tied to the structure of the specific malware the detection models aim to identify. In this work, we conduct a literature review of malware detection tools, reflect on the features used in these approaches, and extend the feature set with novel features identified by interviewing experienced SOC analysts. We apply thematic analysis to the qualitative data obtained from the interviews. Our results not only indicate the presence of novel, generic malware characteristics based on network and application events (web proxy, firewall, DNS), but also identify valuable lessons on the structure and processes needed to develop effective SOCs.